Skip to content

Publish to PyPI via AWS Secrets Manager (OIDC)#531

Merged
AndreyVMarkelov merged 2 commits into
mainfrom
fix-pypi-publish-oidc
Jul 10, 2026
Merged

Publish to PyPI via AWS Secrets Manager (OIDC)#531
AndreyVMarkelov merged 2 commits into
mainfrom
fix-pypi-publish-oidc

Conversation

@AndreyVMarkelov

Copy link
Copy Markdown
Contributor

Summary

The v12.1.0 publish (release #530 → tag v12.1.0) built and twine checked cleanly but failed at upload with 403 Forbidden: secrets.pypi_secret is no longer configured on this repo, so TWINE_PASSWORD was empty.

dropbox/stone already migrated its publishing off GitHub secrets to a PyPI token fetched from AWS Secrets Manager via GitHub OIDC. This PR mirrors that approach so dropbox-sdk-python publishes the same way.

Changes

.github/workflows/pypiupload.yml:

  • Add permissions: id-token: write for OIDC.
  • Assume an AWS IAM role via aws-actions/configure-aws-credentials, then fetch the PyPI token with aws-actions/aws-secretsmanager-get-secrets.
  • Use that token for twine upload (replaces the empty secrets.pypi_secret).
  • Add workflow_dispatch so a maintainer can re-trigger publishing without cutting a new release.

⚠️ Requires infra provisioning before it works

The role-to-assume and secret-ids ARNs are placeholders scoped to this repo and must be provisioned for dropbox-sdk-python:

  • arn:aws:iam::082972943155:role/oidc-github-dropbox-sdk-python-repo — IAM role with a trust policy allowing this repo's OIDC subject (stone's role won't work; its trust policy is repo-scoped).
  • arn:aws:secretsmanager:us-west-2:082972943155:secret:pypi-api-token-dropbox-sdk-python — Secrets Manager secret holding a PyPI API token scoped to the dropbox project.

Please confirm/adjust these ARNs to match what's provisioned.

Publishing v12.1.0 after merge

Tag v12.1.0 and its GitHub Release already exist; only the upload failed. Once this is merged and the AWS resources exist, publish via Actions → Publish to PyPi → Run workflow (workflow_dispatch), or re-run the failed release run.

Refs #528

The v12.1.0 release failed to upload because secrets.pypi_secret is no
longer set on this repo (403 Forbidden, empty token). The dropbox/stone
repo already migrated publishing off GitHub secrets to a PyPI token
fetched from AWS Secrets Manager via GitHub OIDC; mirror that here.

The role-to-assume and secret ARNs are placeholders scoped to this repo
-- they must be provisioned for dropbox-sdk-python before the workflow
can authenticate (stone's ARNs will not work, as the IAM trust policy
is scoped to a single repo).

Also adds workflow_dispatch so a maintainer can re-trigger the publish
without cutting a new release.
@codecov

codecov Bot commented Jul 9, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 65.12%. Comparing base (48d8f81) to head (f940012).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #531   +/-   ##
=======================================
  Coverage   65.12%   65.12%           
=======================================
  Files          31       31           
  Lines       54897    54897           
  Branches     3902     3902           
=======================================
  Hits        35749    35749           
  Misses      18989    18989           
  Partials      159      159           
Flag Coverage Δ
integration 65.03% <ø> (ø)
unit 64.57% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

The role-to-assume used the wrong name: the provisioned role encodes both the
org and the repo (dropbox / dropbox-sdk-python), so it is
oidc-github-dropbox-dropbox-sdk-python-repo, not
oidc-github-dropbox-sdk-python-repo. The old name would never resolve and the
OIDC assume would fail.

Also reference the PyPI secret by its friendly name instead of a full ARN.
Secrets Manager appends a random suffix to the ARN, so the name is the stable
identifier and avoids hardcoding a suffix that is not known until the secret
is created.
@AndreyVMarkelov AndreyVMarkelov merged commit 3adc6c9 into main Jul 10, 2026
31 checks passed
@AndreyVMarkelov AndreyVMarkelov deleted the fix-pypi-publish-oidc branch July 10, 2026 03:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants